Hybrid Secure Storage Devices

Karl Paulsen

Users of computer and server systems may have self-encrypting and/or hybrid hard disk drives and not be aware of it. These two types of storage devices are relatively new to the general purpose computing industry; however they’ve been around for some time just in different form factors.

When a hard disk drive contains some level of NAND Flash memory, it is most likely considered a “hybrid-HDD.” The addition of the NAND Flash serves as a nonvolatile cache, allowing the rotating memory device to possess the properties of solid-state storage (SSS). The boundaries of SSS are expanding, and may be found in solid-state modules, cards and solid-state drives (SSD). The interfaces for SSS devices include SAS, SATA, PCIe and Fibre Channel; allowing the devices to be used in numerous applications and at various performance levels. SSS are essentially non-volatile caches; that is, the data is retained through a power cycle, improving performance and reducing time periods generally set as routine operations.

The main point of adding SSS devices to spinning disk (also called rotating magnetic media) is to improve access time and reduce latency. In most HDDs, software algorithms essentially learn the patterns of where certain data is and how to predict when that data needs to be accessed. When SSS is added to the HDD, on-board firmware will use the access patterns it learns to optimize access performance by reducing latency. Firmware on SSS devices do this by placing the frequently accessed data (including system files and applications), into the NAND Flash cache added to the hybrid-HDD.

Alternatively, rather than employing a hybrid-HDD, some systems will use “storage pairing;” a combination of a lower-cost SSS and a high-capacity HDD. The SSS provides for fast access to commonly needed files and allows for a much faster boot time. The SSS also performs garbage collection, a background process where blocks of data marked for deletion are accumulated and then whole block erasure occurs on that “garbage,” reclaiming that space for upcoming write operations. Garbage collection, when employed on SSS, improves write performance by eliminating individual erasures of no longer needed block data prior to each write, instead of making the cell erasure happen at the time of each write function.

Fig. 1: Self-encrypting drives (SED) automatically encrypt data during the write process, then decrypt (restore) the data at each read command. Users may not be aware this is happening and need to do nothing more than provide a password as they would for a conventional network login. Data on the drive is useless if stolen or compromised.
Another feature of the hybrid-HDD integration or standalone SSS devices is called the “trim command.” This is an operating system function that informs the NAND Flash which data blocks are no longer needed and issues an erase command for those blocks. At the time of a typical write process, the firmware must first issue an erase command for a data block area, then perform the actual write-to command. By predictively erasing the unused (or no longer needed) blocks ahead of a write command, the entire new write process is accelerated.

Endurance of the SSS device is of paramount importance to users, especially as costs and performance for the SSS devices approach the price of HDD or physical memory. Of concern is the life expectancy of a NAND-Flash memory, which is determined by the number of erasures across the Flash cells. “Wear Leveling” is the term applied to a set of firmware algorithms that the Flash-controller uses to distribute erases and write commands across the entire array of Flash cells in the SSS. The goal of the wear leveling algorithm is to prolong the useful life of the SSS (i.e., in Flash-based storage) by delaying individual cell wear-out.

Data integrity and data security remain up-and-coming and accelerating issues, especially for mobile devices. Since more users depend upon mobile devices (phones, tablets, SSD-only laptops, etc.), the need and ability to protect data should the device be compromised is a growing concern.

Data integrity is an assurance that the data is valid, is not destroyed and remains unaltered through the course of an unauthorized process, activity or manner of use. From a security perspective, data encryption is a process that protects user data from unauthorized access. The integrity and security methodologies utilized are subjects of both concern and of contention in this rapidly developing SSS domain.

Self-encrypting devices (SED) are relatively recent additions to the rotating magnetic memory marketplace that are now joining the ranks of the SSS space en masse. SEDs embed encryption logic directly into the drive’s silicon, meaning the process is permanent and unalterable. An SED will automatically encrypt data as it is written to the device or drive, then decrypt all the data from the media automatically. Very strong passwords, up to 32 bytes, are permitted by the Trusted Computing Group. TCG is the international vendor-neutral standards group that publicizes specifications and uses membership implementation as examples to protect business-critical data and systems.

Obviously, a serious drawback to the SED is that users must rely on their passwords for access. The loss of a password essentially becomes the demise and failure point of the SSS or HDD. Data recovery companies are addressing this issue more frequently, as users discover their own lack of memory in password-remembrance processes. Further encumbrances occur, for example, when an employee/user is dismissed from a company with computer data stored on an SED. If that user’s password was changed or never registered, the data stored may not be recoverable without great cost and risk.

Yet there still remains only marginal interest in self-encrypting drives (SSS or HDD), due in part to the older poor-performance perceptions about SED-based storage. For newer SSDs, SEDs do not measurably impact performance; however, managing the keys (i.e., “key management”) can be complex and burdensome for large multiple drive systems. In larger systems, the loss of one password could mean the loss of entire data sets, thus new and broader schemes for data storage are evolving.

The technologies and the issues presented herein are becoming everyday issues as fraud and thefts increase, and the demands for increased performance grow. Knowing the options and architectures of storage systems just became a little more complex and a lot more variable, demanding that new perspectives be understood and enacted to ensure integrity and improve workflows.

Karl Paulsen, CPBE and SMPTE Fellow, is the CTO at Diversified Systems. Read more about storage topics in his most recent book “Moving Media Storage Technologies.” Contact Karl atkpaulsen@divsystems.com.

Karl Paulsen

Karl Paulsen is the CTO for Diversified, the global leader in media-related technologies, innovations and systems integration. Karl provides subject matter expertise and innovative visionary futures related to advanced networking and IP-technologies, workflow design and assessment, media asset management, and storage technologies. Karl is a SMPTE Life Fellow, a SBE Life Member & Certified Professional Broadcast Engineer, and the author of hundreds of articles focused on industry advances in cloud, storage, workflow, and media technologies. For over 25-years he has continually featured topics in TV Tech magazine—penning the magazine’s Storage and Media Technologies and its Cloudspotter’s Journal columns.